On Mon, Jan 24, 2022 at 05:25:57PM +0100, Christian Brauner wrote:
> On Fri, Jan 21, 2022 at 03:59:52PM +0000, gmgod@xxxxx wrote:
> > Dear all,
> >
> > Has anyone tried to run a rootless container, or simply pull an image, from a systemd-homed session?
> >
> > For some reason I am told there are potentially insufficient UIDs or GIDs available:
> >
> > $ buildah from quay.io/fedora/fedora
> > Trying to pull quay.io/fedora/fedora:latest...
> > Getting image source signatures
> > Copying blob 4545346f2a49 done
> > writing blob: adding layer with blob "sha256:4545346f2a492b62d5a82682efe19b0e8e7583d5c19f75a74c81d62ec536c32d": Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs available in user namespace (requested 0:12 for /var/spool/mail): Check /etc/subuid and /etc/subgid: lchown /var/spool/mail: invalid argument
> >
> > But my /etc/sub{u,g}id are properly populated, `podman system migrate` runs without complaining and the subids *are* just available:
> >
> > $ buildah unshare cat /proc/self/uid_map
> > 0 60097 1
> > 1 100000 65536
> >
> > This is only happening in systemd-homed user sessions: normal users just work.
> > Using `sudo homectl with <user> -- buildah from quay.io/fedora/fedora` also works.
> >
> > It looks like an important capability is dropped in systemd-homed session specifically that prevents id change.
> > Do you have any idea what it could be?
>
> Hey Gaël,
>
> I've spent some time looking into this as I had a hunch where the issue
> comes from. This is related to how systemd implements home directories
> making use of idmappings for the user's home directory on kernels that
> support it.
>
> As it stands systemd-homed allocates a very narrow range of ids for a
> users home directory causing podman and other tools to not be able to
> write ids in ranges > 60513. As you can see podman - with your mapping -
> tries to write as uid 100000 but that id isn't mapped in systemd-homed.
> I'll try to come up with a patch that fixes this and will propose it for
> systemd upstream.
I sent a pull-request explaining the issue and proposing a fix. It will
take a little while since we need to make a design decision but I'm
confident this will be fixed:
https://github.com/systemd/systemd/pull/22239
Re: Rootless podman/buildah pull with systemd-homed fails -- important CAP dropped?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: Rootless podman/buildah pull with systemd-homed fails -- important CAP dropped?
- From: Christian Brauner <brauner@xxxxxxxxxx>
- Date: Tue, 25 Jan 2022 11:06:24 +0100
- Cc: "systemd-devel@xxxxxxxxxxxxxxxxxxxxx" <systemd-devel@xxxxxxxxxxxxxxxxxxxxx>
- In-reply-to: <20220124162557.wm7g2nakyxqtjidh@wittgenstein>
- References: <iD7zi88vKnnFcsEIfSY3wkOzHMI7pjWucrni6YKqdkJKDqhTqhVwZ7mI4QUQBQwHh8MCu18R3AJF1JhJDLMXilhj_Q0CpOKS-Z22wtuueX0=@pm.me> <20220124162557.wm7g2nakyxqtjidh@wittgenstein>
- References:
- Prev by Date: Re: sd_bus_process() + sd_bus_wait() is it not suitable for application?
- Next by Date: Re: Launching script that needs network before suspend
- Previous by thread: Re: Rootless podman/buildah pull with systemd-homed fails -- important CAP dropped?
- Next by thread: sd_bus_process() + sd_bus_wait() is it not suitable for application?
- Index(es):
 |